Adversaries using AdaptixC2 establish command-and-control communication with the ip:port indicators listed below. SOC teams should proactively hunt for connections to these addresses in Azure Sentinel to identify and contain compromise by advanced persistent threats leveraging AdaptixC2.
IOC Summary

Malware Family: AdaptixC2
Total IOCs: 4
IOC Types: ip:port
| Type | Value | Threat Type | First Seen | Confidence |
|---|---|---|---|---|
| ip:port | 101[.]33[.]202[.]134:443 | botnet_cc | 2026-06-24 | 100% |
| ip:port | 95[.]81[.]79[.]153:8443 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 107[.]172[.]140[.]187:32333 | botnet_cc | 2026-06-24 | 75% |
| ip:port | 156[.]239[.]47[.]147:4221 | botnet_cc | 2026-06-23 | 75% |
```kusto
// Hunt for network connections to known malicious IPs
// Source: ThreatFox - AdaptixC2
// Note: this matches on IP only; the IOCs are ip:port pairs, so compare
// DestinationPort against the IOC table when triaging hits.
let malicious_ips = dynamic(["95.81.79.153", "156.239.47.147", "101.33.202.134", "107.172.140.187"]);
CommonSecurityLog
| where DestinationIP in (malicious_ips) or SourceIP in (malicious_ips)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated desc
```
```kusto
// Hunt in Defender for Endpoint network events
// Note: matches on RemoteIP only; compare RemotePort against the IOC table when triaging.
let malicious_ips = dynamic(["95.81.79.153", "156.239.47.147", "101.33.202.134", "107.172.140.187"]);
DeviceNetworkEvents
| where RemoteIP in (malicious_ips)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName, ActionType
| order by Timestamp desc
```
| Sentinel Table | Notes |
|---|---|
| CommonSecurityLog | Ensure this data connector is enabled |
| DeviceNetworkEvents | Ensure this data connector is enabled |
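The hunting queries above match on IP address only, while the IOCs are published as ip:port pairs. The following Python is an added example, not part of this report, that refangs the IOCs from the table, generates the `let malicious_ips = dynamic([...])` line the queries use, and classifies network events as an exact ip:port hit versus an IP-only hit so an analyst can see which matches deserve the closest review. The event fields, the constructed sample events and all function names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# IOCs exactly as published in the table above (defanged ip:port, confidence %).
DEFANGED_IOCS = [
    ("101[.]33[.]202[.]134:443", 100),
    ("95[.]81[.]79[.]153:8443", 75),
    ("107[.]172[.]140[.]187:32333", 75),
    ("156[.]239[.]47[.]147:4221", 75),
]


def refang(value):
    """Turn defanged dot notation ('[.]' or '(.)') back into a real dotted value."""
    return value.replace("[.]", ".").replace("(.)", ".")


def parse_ioc(value):
    """Parse a defanged 'ip:port' IOC into an (ip, port) tuple, validating both parts."""
    ip, _, port = refang(value).rpartition(":")
    ipaddress.ip_address(ip)  # raises ValueError on anything that is not an IP literal
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in IOC {value!r}")
    return ip, int(port)


def build_indicator_set(iocs, min_confidence=0):
    """Return the set of (ip, port) indicators at or above the given confidence."""
    return {parse_ioc(value) for value, conf in iocs if conf >= min_confidence}


def kql_ip_list(indicators):
    """Emit the KQL 'let' line used by the hunting queries (IP-only, as on the page)."""
    ips = sorted({ip for ip, _ in indicators})
    return 'let malicious_ips = dynamic(["' + '", "'.join(ips) + '"]);'


@dataclass
class NetEvent:
    """Minimal stand-in for a DeviceNetworkEvents-style record (assumed field names)."""
    timestamp: str
    device: str
    remote_ip: str
    remote_port: int


def classify(event, indicators):
    """'ip:port' when IP and port both match an indicator, 'ip-only' when only the
    IP matches (what the page's KQL flags), None when the event is unrelated."""
    if (event.remote_ip, event.remote_port) in indicators:
        return "ip:port"
    if event.remote_ip in {ip for ip, _ in indicators}:
        return "ip-only"
    return None


def hunt(events, indicators):
    """Return (timestamp, device, ip, port, verdict) for every event that matches."""
    hits = []
    for e in events:
        verdict = classify(e, indicators)
        if verdict:
            hits.append((e.timestamp, e.device, e.remote_ip, e.remote_port, verdict))
    return hits


# Constructed sample events: one exact ip:port hit, one IP-only hit, one benign.
SAMPLE_EVENTS = [
    NetEvent("2026-06-24T10:01:00Z", "ws-01", "101.33.202.134", 443),
    NetEvent("2026-06-24T10:02:00Z", "ws-02", "95.81.79.153", 80),
    NetEvent("2026-06-24T10:03:00Z", "ws-03", "203.0.113.10", 443),
]

if __name__ == "__main__":
    indicators = build_indicator_set(DEFANGED_IOCS)
    print(kql_ip_list(indicators))
    for hit in hunt(SAMPLE_EVENTS, indicators):
        print(hit)
```

An IP-only hit is still worth a look (the same host may serve more than one listener), but an exact ip:port hit against a 100%-confidence indicator should be triaged first; `build_indicator_set(DEFANGED_IOCS, min_confidence=100)` restricts the set to those indicators.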
Scenario: Legitimate scheduled job using hunting package
Description: A system administrator schedules a daily job using the hunting package to analyze network traffic for security purposes.
Filter/Exclusion: Exclude processes where the command line includes --schedule or --cron and the user is a system admin (e.g., sudo or root).
Scenario: Admin task using hunting for threat hunting
Description: A security analyst runs the hunting package manually to investigate potential threats within the network.
Filter/Exclusion: Exclude processes initiated by users with the security or analyst role, or where the command line includes --hunting or --threat-hunt.
Scenario: Legitimate use of hunting for log analysis
Description: A log analysis tool uses the hunting package to parse and analyze system logs for anomalies.
Filter/Exclusion: Exclude processes where the command line includes --log or --analyze, and the parent process is a known log analysis tool (e.g., logstash, splunk).
Scenario: Package update using hunting
Description: A system update process includes the hunting package as part of a larger update or patching operation.
Filter/Exclusion: Exclude processes where the command line includes --update, --patch, or --upgrade, and the user is a system admin.
Scenario: False positive from a third-party security tool
Description: A third-party security tool includes the hunting package as part of its integration with internal systems, triggering the rule unintentionally.
Filter/Exclusion: Exclude processes where the parent process is a known third-party security tool (e.g.,